Cybersecurity Briefing, CFO Council, June 2021
CFO Council (June 2021) | Cybersecurity Briefing
About today’s speakers

Justin Greis
• Partner, Ernst & Young LLP
• Chicago, Illinois
• Global and Americas Cybersecurity Strategy, Risk, Compliance, and Resilience Leader
• justingreis.com | linkedin.com/in/justingreis | @JustinGreis

Michael Hinckley
• Senior Manager, Ernst & Young LLP
• Nashville, Tennessee
• Technology Risk, Compliance, and Assurance
• michaelhinckley.com | linkedin.com/in/michael-hinckley-ba14239 | @hinckleysong
South Carolina Market Leaders

Jessica Donan
• Partner, Ernst & Young LLP
• Greenville, South Carolina
• Greenville Office Managing Partner, Financial Accounting Advisory Partner and US-Central Region Mobility Sector Assurance Leader
• linkedin.com/in/jessica-donan

Jennifer Walker
• Senior Manager, Ernst & Young LLP
• Charleston, South Carolina
• Assurance and Consulting Services
• https://www.linkedin.com/in/jennifer-walker-6929971a6/
Agenda
1 Today’s security landscape
2 Five common themes in cyber program assessments
3 Cybersecurity Maturity Model Certification (CMMC) update
4 Questions and answers
Today’s security landscape
Cyber threats continue to evolve and increase cyber risk exposure
[Chart: threat actor types plotted by attacker resources and sophistication against risk; ordered along the axis as script kiddies, hackers, malicious insiders, criminal networks, APT]
Threat actor categories:
• Unsophisticated attackers (script kiddies)
• Sophisticated attackers (hackers)
• Corporate espionage (malicious insiders)
• State-sponsored attacks (APT)
• Organized crime (criminal networks)
Motivations shown alongside the actor types:
• Any information of potential value to sell or use for extortion/ransom: cash/Bitcoin, credit cards, identities, inside information, intellectual property, manipulation of systems, industrial espionage and competitive advantage
• State-sponsored espionage, market/economic manipulation, competitive advantage, military/political objectives, cognitive warfare, social and opinion influence
• Revenge, personal gain, stock price manipulation, competitive advantage, money
• Embarrassment; political, social and environmental causes; amusement or experimentation; nuisance or notoriety
Cybersecurity incidents are on the rise and billions of records are lost each year
[Chart: publicly reported cybersecurity breaches and total records lost, 2004 to 2021; axes show the count of cybersecurity incidents and the number of records lost, in millions, if disclosed; annotated with an “Age of exfiltration” followed by an “Age of extortion”; data as of April 2021]
• Cyberattacks have become far more destructive
• An increasing number of companies are not able to recover critical data or systems
• “Double extortion” ransomware has significantly increased over the past two years
• Cyber insurance premiums rising (↑20%–50%), and some may no longer cover extortion payouts to criminals
Shadow investigations have increased five-fold since 2020
Ransomware trends
• Ransom paid now routinely in millions
• Significant gaps in resiliency, and a big disconnect with business continuity and disaster recovery plans
• Large majority of attacks focused on Windows AD
• Insurance coverage a large factor in payment
• Theft of [old] unstructured data increasing
• Strong monitoring and expedited response key to mitigating impact
Business email compromise trends
• Multifactor authentication and zero trust architecture not deployed in email environments
• Switch routing of payables, receivables or payroll
• Suspicious geographic monitoring and email box rule detection helps with response
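As an added illustration of the mailbox-rule detection the briefing mentions (this code is not from the deck or from EY), the routine below triages constructed, simplified mailbox-rule audit events and flags rules that forward to an external domain, rules that hide finance-related mail, and rule creation from an unexpected geography. The tenant domain, expected countries, keyword list and event field names are assumptions, not any product's log schema.

```python
# Added example, not from the briefing: triage constructed mailbox-rule audit
# events for the business email compromise patterns the slide names.
# Field names below are simplified assumptions, not a real product's schema.
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"          # assumed tenant domain
EXPECTED_COUNTRIES = {"US"}              # assumed normal sign-in geography
FINANCE_TERMS = ("invoice", "payment", "wire", "payroll", "remit")
HIDING_FOLDERS = {"deleted items", "rss feeds", "archive", "junk email"}


@dataclass
class RuleEvent:
    user: str
    country: str                          # geo of the session that created the rule
    conditions: list = field(default_factory=list)   # subject/body match terms
    forward_to: list = field(default_factory=list)   # forwarding recipients
    delete: bool = False                  # rule deletes matching messages
    move_to: str = ""                     # folder the rule moves messages to


def is_external(address: str) -> bool:
    """True when the recipient domain is not the tenant's own domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def assess(ev: RuleEvent) -> list:
    """Return the BEC indicators present in one rule-creation event."""
    findings = []
    if any(is_external(a) for a in ev.forward_to):
        findings.append("forwards-external")
    touches_finance = any(t in c.lower() for c in ev.conditions for t in FINANCE_TERMS)
    if touches_finance and (ev.delete or ev.move_to.lower() in HIDING_FOLDERS):
        findings.append("hides-finance-mail")
    if ev.country not in EXPECTED_COUNTRIES:
        findings.append("unusual-geo")
    return findings


def triage(events) -> dict:
    """Map user -> indicators, keeping only events that raise at least one."""
    out = {}
    for ev in events:
        hits = assess(ev)
        if hits:
            out.setdefault(ev.user, []).extend(hits)
    return out


SAMPLE_EVENTS = [  # constructed sample data
    RuleEvent("ap.clerk@example.com", "NG", ["invoice", "wire"],
              forward_to=["collect@mail-drop.invalid"], delete=True),
    RuleEvent("cfo@example.com", "US", ["payroll"], move_to="RSS Feeds"),
    RuleEvent("hr@example.com", "US", ["newsletter"], move_to="Archive"),
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_EVENTS).items():
        print(user, "->", ", ".join(hits))
```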
[Pie chart: shadow investigations* by incident type; segments shown: 41%, 21%, 6%, 7%, 13%, 12%; legend: Ransomware (RW), Business Email Compromise (BEC), Malware (MAL), Data Exfiltration (DE), Unauthorized access (UA), Other (OTH)]
*Independent forensic investigation of a cyber incident or breach
Threat actors are opportunistic and generally target companies likely to pay
Shadow investigations by industry:
• Health & Life Sciences (H&LS): 19%
• Technology (Tech): 14%
• Consumer Products & Retail (CP&R): 15%
• Banking & Capital Markets (B&CM): 3%
• Hospitality & Construction (H&C): 9%
• Advanced Manufacturing (AM): 10%
• Professional Firms & Services (PF&S): 11%
• Media & Entertainment (M&E): 4%
• Government & Public Sector (G&PS): 3%
• Insurance (Ins): 4%
• Mobility (Mob): 3%
• Other: 5%
• Three sectors comprise nearly 50% (48%) of the recent shadow investigations: health and life sciences, technology, and consumer products and retail
• No sector is immune!
• Don’t discount the perceived value of the data in your organization.
• You may not be the target, but rather a means of getting to the real target.
• There is an increase in supply chain attacks.
• Preparation is key: those who trained and exercised their program were able to limit the damage.
Five common themes in cyber program assessments
A framework for evaluating cybersecurity programs
Framework domains: Governance, risk, and compliance; Identity and access management; Security architecture and engineering; Security operations; Data protection and privacy
Capabilities under governance, risk, and compliance:
• Policy and standards
• Security education and awareness
• Governance, operating model and organization
• Third-party and supply chain risk management
• Cyber risk management
Other capabilities shown in the framework:
• Data protection
• Identity and access management
• Security architecture and engineering
• Product security
• Vulnerability identification & remediation
• Metrics and reporting
• Cyber compliance
• Privacy
• Insider threat
• Security infrastructure
• Secure software development and management
• Cloud security
• Operational technology
• Threat intelligence
• Security monitoring
• Incident response
Also shown on the framework diagram: Business & IT strategy; Resilience; IT asset management; Physical security; Organizational partnerships
Companies are relatively good at assessing, identifying risk and building roadmaps …
The slide shows three typical work products:
• Cyber framework and capabilities assessment, based on the NIST Cybersecurity Framework (CSF)
• Risk and controls effectiveness analysis: a heat map plotting inherent risk (high/medium/low) against the strength of existing controls (high/medium/low), with a risk threshold line, for scenarios such as denial of service, malicious users, inadvertent disclosure, extortion, inappropriate use, social engineering, phishing, spam, theft of equipment, hacker (application), hacker (network) and malicious code
• Strategy and initiative or investment road map: a timeline (Nov. 30 through Apr. 30, with a “Today” marker) of projects and milestones across people, process and technology capabilities, using the status legend Complete, At Risk, Behind Schedule, On Schedule, New Milestone, Deferred or Dropped
… but they often overlook three critical elements for effective cyber-business integration
1. Alignment to business goals and objectives
• Mapping of cyber strategy to business and IT strategy
• Establish risk profile to align to business goals and anticipate needs
• Apply appropriate levels of controls to protect the things that matter most
2. Engagement and communication mechanisms with business stakeholders
• Service catalog with engagement mechanism and cost chargeback
• Communication and governance channels (bi-directional)
• Performance reporting mechanisms
3. Satisfaction with performance and delivery of security services
• Feedback loops from the business and key stakeholders
• Escalation paths when adjustments and attention are needed
• Recognition for exceptional performance and service
Security architecture must “shift everywhere”
• Shift left (West): secure SDLC and DevSecOps; security and privacy by design; certifications and continuous testing assurance (as a testing producer)
• Shift right (East): certifications and attestations; proactive regulatory “mappings” and transparent regulatory response
• Shift up (North): reporting, communications, visibility and accountability; budgeting and resource allocation
• Shift down (South): enhanced standards and testing (as a testing consumer); zero trust architecture
Stakeholder groups on the security architecture compass: vendors, third parties, and supply chain ecosystem; engineers, product managers and customers; regulators and public policy community; management
Traditional third-party risk management programs do not protect against supply chain attacks
Typical third-party risk management process:
1. Company identifies a business need and decides to procure software or services from a third party
2. Vendors compete and eventually a service provider or solution is selected (and sometimes is a factor in the selection)
3. Vendor security questionnaire is submitted to the vendor by the company
4. Vendor completes questionnaire and submits required evidence, certifications, or documentation
5. Vendor passes or fails the evaluation; remediation or mitigation may be required
6. Vendor moves to contracting process
7. Vendor is engaged and work begins
8. Solution and/or software deployed in the company environment
Third-party security risk management basic hygiene checklist
• A complete vendor list
• Procurement channels and shadow IT
• Vendor tiering and evaluation criteria for each tier
• Re-evaluation schedule and triggers
• Evidence and documentation analysis
• Vendor risk monitoring and governance
Key points:
1. Questionnaires and certifications do not equal code/solution testing
2. Ongoing testing (periodic & triggered) > point-in-time evaluations
3. If vendors do not test their code/solutions with each release, you must. If they do, make them prove it; and you should likely reperform the testing in your environment anyway…
4. Nth-parties (vendors of vendors) pose just as big a risk as the primary vendor
Greater visibility and enhanced monitoring does not necessarily mean better response (but it could)
• Depth (type/amount of data) and breadth (BU, geographies, products, etc.) of monitoring scope
• Business stakeholder integration and system ownership
• Operational technology (OT) environments
• “Black box” SOCs (security operations centers)
• Threat hunting and active defense finds problems before they become problems
• Alert qualification and investigation
• SOC playbook and communication protocols
• Level 3 hand-offs, especially for MSSPs
• Automation versus manual processes; get ready for huge increase in volume
[Diagram: security operations center pyramid with layers labelled Incidents, Blocks, Alerts, Info, Insights]
Cyber reporting, metrics and dashboarding are missing some critical elements before they can elevate cyber maturity
Common missing pieces…
• Infusion of business context information
• Persona and audience definition
• Reporting visibility and risk governance
• Interpretation in “plain language”
• Automation and notifications
• Accountability for KPIs and KRIs within defined personas
• Historical trending and future predictive modeling
[Diagram: reporting pipeline from source systems (A through N, …) through the security tool stack (Tool 1 to Tool 5) into a data lake, data model and metrics library (analytics, metrics, and data model), and on to reporting and visualization, with the missing pieces marked]
Cybersecurity Maturity Model Certification (CMMC) update
CMMC update
The Department of Defense (DoD) CMMC program was initiated in an effort to stop the erosion of US defense capabilities caused by the exfiltration of information from contractor networks.
CMMC is an attempt by the DoD to standardize, validate and enforce cybersecurity practices, which is a shift from the self-attestation model currently utilized under DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012.
CMMC will require any contractor bidding to work on a DoD contract to first undergo an assessment by an independent third-party organization to verify that certain cybersecurity standards are met.
It is likely that this requirement will impact more than 300,000 companies and that noncompliance with CMMC could threaten these organizations’ ability to qualify for DoD contracts going forward.
CMMC
Scope and applicability
• Non-federal entities (industry, academia, state, local and tribal governments)
• Controlled Unclassified Information (CUI) — information the government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls
Complying with regulatory requirements
• Projected timeline of the CMMC program rollout: DoD is planning to roll out CMMC over the next five years with the goal of having 300k+ contractors certified by 2025.
DoD candidate programs (15 December 2020)
• Army
• Navy
• Air Force
• Missile Defense Agency
Preparing for the future
• CMMC maturity levels:
• Level 5 — advanced/progressive
• Level 4 — proactive
• Level 3 — good cyber hygiene (SP 800-171)
• Level 2 — intermediate cyber hygiene
• Level 1 — basic cyber hygiene
CMMC compliance considerations
• Reciprocity with other US Government regulatory frameworks (i.e., FedRAMP)
• Control deficiency expectations
• Development of a System Security Plan (SSP)
Supporting our national security
The DoD CMMC program was initiated in an effort to stop the erosion of US defense capabilities caused by the exfiltration of information from contractor networks.
• “Industrial security scored the lowest among the eight dimensions with a 63 for 2019. In fact, industrial security has gained prominence as massive data breaches and brazen acts of economic espionage by state and non-state actors plague defense contractors in recent years.”
• “The trend for cyber vulnerabilities indicates a tremendous change for the worse in global cybersecurity conditions.”
• “DoD’s demand for defense goods and services has trended sharply upward since 2017.”
Vital Signs 2020: The Health and Readiness of the Defense Industrial Base, National Defense Industrial Association (NDIA)
Converting CMMC challenges into opportunities
Three themes: alignment on protecting the enterprise; organizational integration; value creation
CMMC steering committee
• Chief executive officer
• Chief operating officer
• Chief growth officer
• Chief information officer
• Chief information security officer
• Chief risk officer
• Internal audit
• General counsel
• Procurement
People
• Develop workforce of the future
• Integrate internal and external stakeholders
Process
• Optimize enterprise-wide protection
• Integrate people and data
Technology
• Enable high value data protection
• Enable governance risk and compliance
Risk reduction and operational efficiencies
• Unified and clear vision of stakeholder expectations
• Informed decision-makers across the organization
• Organization growth potential with existing or new potential clients
• Comprehensive understanding of services being provided to the US government
• Improvement in quality of risk information and data availability for decision-making
• Single point of truth for critical risk management matters
• Increased confidence with cyber maturity and investments
EY CMMC and cyber thought leadership (linked from the original deck):
• What should be top of mind to continue preparing for CMMC
• What to do when faced with ransomware
Questions and answers
THANK YOU
Justin Greis
Michael Hinckley
EY | Building a better working world
EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.
Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.
Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
© 2021 EYGM Limited. All Rights Reserved.
2105-3779053ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, legal or other professional advice. Please refer to your advisors for specific advice.
ey.com